The Social Engineer's Playbook Page 7
Documents and files
A free community version of Maltego comes preinstalled on Kali Linux. While the free community edition works wonderfully, there are some limitations.
To get the most out of Maltego, the commercial version is recommended.
In essence, Maltego can be used to efficiently gather information for social engineering purposes. The graphical user interface helps visually display relationships and aggregate information from sources all over the Internet – even if they are three or four degrees of separation away.
Maltego is available for download by following this link: http://www.paterva.com/web6/products/download2.php
Physical Tools
No social engineer’s tool bag would be complete without an assortment of physical tools. These tools can aid a tester in gathering information through surveillance and even through exploitation. For this section, we will discuss a few different categories of physical tools. A good social engineer should know how and when to utilize these tools to achieve the best results.
Cameras
We discussed cameras briefly in Chapter 5. Cameras are very useful tools for social engineers when it becomes necessary to visually capture and record information swiftly.
Photography equipment and tactics in the social engineering world are vastly different from those of the hobbyist photographer, and several factors account for the difference. First and foremost are the objective and the approach. Photographic surveillance almost always happens very quickly and often discreetly. As a result, there isn’t much time to frame and focus a shot. These factors play heavily into the social engineer’s methodology and their equipment choices.
Form Factor
The right camera equipment for the job comes in many different forms. One of the most significant considerations for the social engineer is the camera’s size. Most photos end up being quick and dirty shots from the hip, and discreet ones at that. Lugging around a camera with a big body, like some digital SLRs, would not be consistent with trying to be inconspicuous. Size matters.
To add a bit more complexity, some photos actually can be framed and focused. These types of shots are usually long distance surveillance in nature. One example of this type of surveillance might be used to gather information about the physical exterior of a building while being taken from inside a vehicle in the parking lot. In these situations, distance plays a significant role in the selection of camera equipment.
I recommend having at least two distinct cameras: one for long distance surveillance opportunities and one for covert, shoot-from-the-hip shots. See the table below for a couple of recommendations.
Distance and short-range camera recommendations:
Panasonic Lumix DMC-TZ40
Olympus Stylus SP-100
Covert Surveillance
Video
Covert video surveillance is ideal for information gathering when “casing the joint,” as they say. It gives the social engineer the capability to record their surroundings without having to rely on memory alone. Captured footage can be reviewed at a later date to identify security controls, such as cameras and motion detectors. Footage can also be reviewed to measure distances and to find other notable items of interest not initially discovered.
Thanks to the emergence of the “nanny cam” in recent years, there has been a surge of covert cameras and listening devices on the market. These stealthy devices are capable of capturing and storing audio and video via cable or by wireless transmitter. They are often secretly housed in everyday household items, such as teddy bears, clocks, vases and books.
Today, covert cameras can be found hidden inside items that are more germane to the corporate office world. In fact, there has even been exponential growth in body-worn camera technology. The applications of body-worn cameras are almost limitless. There are many to choose from, and they are readily available online. It is these types of cameras that provide the social engineer with the best possible results.
A well-equipped social engineer will have several covert cameras to choose from at any given time. Having a variety will enable the social engineer to respond quickly and effectively without giving away his or her motives. The table below represents a list of recommended cameras and their applications.
Recommended “must have” covert cameras:
Glasses camera
Button camera with USB cable
Pen camera
Bag camera
The covert cameras shown here are by no means the best or the only ones you’ll need. Different pretexts and tests will call for different equipment. However, these cameras are generic and all-purpose enough to be used during several pretexts.
Audio
Sometimes a social engineering test calls for the gathering of audio information. Perhaps, the goal of the test is to place a bug in the executive boardroom. Or maybe the test calls for a less complex approach. For simple applications, the pen camera is small and inconspicuous enough to satisfy these scenarios. However, for more involved or live-streaming needs, a more sophisticated configuration may be required.
For real-time monitoring of audio, a radio transmitting audio device is ideal. An all-purpose solution can be easily acquired online. See this link:
http://www.newegg.com/Product/Product.aspx?Item=9SIA2C51B21722&nm_mc=KNC-GoogleMKP&cm_mmc=KNC-GoogleMKP-_-pla-_-Wireless+Surveillance-_-9SIA2C51B21722
This kit contains a wireless audio bug that is powered by a 9-volt battery. The kit includes an FM receiver and earphones. The bug can provide about 1 to 3 days of remote audio, depending upon the quality of the battery. The signal can be picked up from about 200 to 300 meters away depending upon obstructions.
Wireless bug covert RF FM kit – Receiver, headphones, audio bug transmitter with 9v battery attachment
At the time of this writing, I have yet to upgrade from this kit. It works wonderfully for everyday engagements of average complexity. Therefore, I recommend this solution as an entry-level solution. For tests involving greater distances, longer listening time, greater clarity and greater security, a more professional solution would be required.
GPS
GPS vehicle tracking allows for the monitoring and routing of a target’s whereabouts. There are several use cases in which mapping a target’s route is needed. For example, it may be necessary to learn about the target’s route to and from work. Using this device, a social engineer may be able to learn where the target often goes to lunch or spends their happy hour. All of this is important and useful information to leverage during a social engineering test.
Magnetic GPS tracker with USB interface
This tracking device is ultra-compact and easy to conceal in the undercarriage of a vehicle. Its powerful magnet will ensure it stays put. The target’s route can be displayed over a satellite image via Google Earth.
This device can be found here: http://www.proofpronto.com/gps-tracking-key.html
One important item to note is that this particular GPS tracker does not provide real-time GPS information. Therefore, you must install it and later retrieve it in order to obtain routing information. It simply plugs into any USB port on a Windows-based computer. If your test requires real-time GPS tracking, there are other, more expensive GPS trackers that will do the job.
Before engaging in GPS tracking of any individual, it must first be agreed upon with the client and fall well within the Rules of Engagement. Observe any local or state legal requirements as well.
Clothing
Having the right apparel is crucial. We discussed this in previous chapters. Social engineers must fly under the radar and not stand out in any way. The key is to blend in and not draw any attention. Depending upon the occasion, there may be several clothing requirements. They are too numerous to mention here. But the following list is designed to be an all-purpose recommendation for social engineers.
The following table is a recommendation for building out your social engineering closet. It is by no means an all-inclusive list, but should be extensive enough to satisfy a number of engagement scenarios. A portion of this list has been repeated from the Dumpster Diving section in the previous chapter.
The previous table may seem somewhat simplistic. But these items have been in my social engineering wardrobe for many years. Along the way, I managed to pick up a few single-use items, like a lab coat and a hardhat. Those engagements will come and go, and you can’t necessarily assemble a wardrobe for every one of them in advance. However, having some semblance of a stock wardrobe will make social engineering go a little smoother.
Telephone
When you call a target during a social engineering excursion, you don’t want to be identified by your number and maybe not even your voice. There are several easy ways to spoof your number and mask your voice. The SpoofCard application is an iOS and Android app for smart phones that will spoof your number, change your voice, record the call and even add convincing background noise.
The SpoofCard mobile app for smart phones can be downloaded by following this link:
https://www.spoofcard.com/apps
SpoofCard is a for-pay commercial application with relatively reasonable package pricing.
Lock Picking
Lock picking is often associated with social engineering, red teaming and physical penetration testing. The topic is far too vast to be adequately covered here. However, there are countless online resources dedicated to the subject matter. Additionally, there are a number of books about lock picking as well. My advice is to follow the resources that will do it proper justice.
Bump Keys
As any lock picker would say, lock picking is a learned skill that takes time and a lot of practice. Having said that, there are some “shortcuts” on the market. Bump keys can aid an unskilled individual in the process of picking locks. While they may be useful, they should not be used as the only approach for picking locks. Instead, one should take the time to develop the skill over time and practice.
Lock picking may cause irreparable damage, so be sure this tactic is approved under the Rules of Engagement.
More information on lock picking and bump keys can be found by following these links: http://toool.us/ and http://acehackware.com/collections/bump-keys
Miscellaneous Tools
This section will outline some miscellaneous tools a social engineer can use during any number of tests. This is a collection of some very useful tools that I use often and some that I wish I had.
Keylogger
The USB keylogger is a useful piece of equipment that simply plugs inline between the keyboard and the computer. Like the name says, it captures and stores keystrokes. Keystrokes can later be downloaded once the device is retrieved.
USB keylogger
VideoGhost
VideoGhost is similar to a keylogger in that it is an inline peripheral connection, but instead of keystrokes it takes screen captures and stores the images on a ROM chip inside the connector.
Recording Night Vision Goggles
The name says it all: great night vision capabilities with a recording function to assist with information gathering and surveillance.
Covert Spy Cap
This records high-resolution video up to 1080P HD.
Lock Pick Gun (Snap Gun)
A lock pick gun is a tool that can be used to force open a lock without using the key. In some situations, it can open a lock quicker than traditional lock picking, but it is more likely to damage the lock.
Practical Lock Picking, Second Edition: A Physical Penetration Tester’s Training Guide, by Deviant Ollam
Incognito Toolkit, by Rob Robideau
Unauthorised Access: Physical Penetration Testing for IT Security Teams, by Wil Allsopp
Chapter 7:
The Playbook
Due to its creative element and limitless opportunities, pretexting is one of the most fascinating forms of social engineering. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. For that reason, the tactics examined here should be used for ethical purposes only.
In this chapter, we’ll examine several tactics used by social engineers to manipulate targets through the fabrication of invented scenarios, known as pretexts. We will cover some of the most common pretexting tactics and learn through research and planning exercises.
The following plays will be covered in this chapter:
Spear phishing
Telephone
Baiting
Physical
Legal & Warranty Disclaimer
THE CONTENT IN THIS BOOK IS NOT INTENDED FOR ILLEGAL OR UNETHICAL PURPOSES. PRIOR TO MAKING USE OF THIS INFORMATION IN ANY FORM OR FASHION, FIRST CONSULT WITH ALL APPLICABLE LOCAL, STATE AND FEDERAL LAWS TO ENSURE LEGAL COMPLIANCE.
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEB SITE IS REFERRED TO IN THIS WORK AS A CITATION, SOURCE OR OTHERWISE DOES NOT MEAN THAT THE AUTHOR OR PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEB SITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.
THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING OR OTHER PROFESSIONAL SERVICES.
Spear Phishing
Phishing attacks cast a wide net and attempt to reel in as many victims as possible, while spear phishing attacks are targeted attacks pointed directly at either a company, industry or even specific people. This next section will focus on spear phishing pretext tactics.
Security Bulletin!
Objective: To assess the target’s adherence toward policy forbidding the opening of file attachments within email.
Description: This is a very basic attack designed to get a target or targets to open a malicious file that will open a reverse shell payload to your listening server.
Prerequisites:
•Knowledge of the target e-mail address(es)
•SMTP relay server
Tools & Equipment:
•Social Engineer Toolkit (SET)
•Metasploit Framework
•Internet facing server for reverse shell listening connectivity
Play:
1. Launch SET, select Social Engineering Attacks -> Spear-Phishing Attack Vector -> then select Perform a Mass Email Attack
2. Select Adobe PDF Embedded EXE Social Engineering and opt for the built-in BLANK PDF, then select the Windows Reverse TCP Shell
3. Enter your IP address for the payload listener and the listening port (443)
4. Use the following FROM address: security.bulletin@microsoft.com
5. Use the e-mail subject: Critical Microsoft Security Bulletin
6. Use the e-mail content:
Dear Microsoft Customer
You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.
A highly critical security vulnerability has appeared in the wild and was reported for the first time
Open the attached PDF file for simple instructions on how to protect your computer.
7. Send e-mail to targets
8. Monitor for results and wait for targets to connect.
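From the defender’s side, the message this play sends has a recognizable shape: a From address in a brand domain that does not pass sender authentication, an urgent security-themed subject, and a PDF attachment. The following check, added here as an example and not code from the book or from SET, parses a constructed sample message with that shape and reports those indicators; the brand list, the example.org mail host and the sample message are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Domains this organisation treats as "brand" senders (assumed list for the example).
BRAND_DOMAINS = {"microsoft.com", "examplebank.com"}
URGENT_TERMS = ("security bulletin", "suspicious account activity", "critical")


def analyze_message(raw: bytes) -> list[str]:
    """Return the findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = (msg.get("From") or "").lower()
    domain = sender.rsplit("@", 1)[-1].strip(">") if "@" in sender else ""
    # Authentication-Results (RFC 8601) is stamped by the receiving MX; treat a brand
    # domain without a passing SPF or DKIM verdict as a likely spoofed sender.
    auth = (msg.get("Authentication-Results") or "").lower()
    if domain in BRAND_DOMAINS and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append(f"brand sender {domain} without passing SPF/DKIM")
    subject = (msg.get("Subject") or "").lower()
    if any(term in subject for term in URGENT_TERMS):
        findings.append("urgent security-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pdf") or part.get_content_type() == "application/pdf":
            findings.append(f"PDF attachment: {name or '(unnamed)'}")
    return findings


def build_sample(auth_pass: bool = False) -> bytes:
    """Construct a sample message shaped like the play's e-mail (not a real capture)."""
    m = EmailMessage()
    m["From"] = "security.bulletin@microsoft.com"
    m["To"] = "employee@example.org"
    m["Subject"] = "Critical Microsoft Security Bulletin"
    verdict = "spf=pass; dkim=pass" if auth_pass else "spf=fail; dkim=none"
    m["Authentication-Results"] = f"mx.example.org; {verdict}"
    m.set_content("Open the attached PDF file for simple instructions.")
    # Placeholder bytes only; no real document is embedded.
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="security_update.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample()):
        print("FLAG:", finding)
```

A message that carries a passing SPF or DKIM verdict for the brand domain still trips the subject and attachment checks, so the sender finding is the one that separates a spoof from genuine brand mail.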
Bank Security Email Alert
Objective: To assess the target’s adherence toward policy forbidding the opening of file attachments within email.
Description: This pretext is a slightly different spin on a classic phishing test. But we are not attempting to acquire banking information. The objective is to get the target to open a malicious file that will open a reverse shell payload to your listening server.
Prerequisites:
•Knowledge of the target email address
•Knowledge of the target’s bank. This may be learned through surveillance, dumpster diving or GPS tracking.
•SMTP relay server
Tools & Equipment:
•Social Engineer Toolkit (SET)
•Metasploit Framework
•Internet facing server for reverse shell listening connectivity
Play:
1. Launch SET, select Social Engineering Attacks -> Spear-Phishing Attack Vector -> then select Perform a Mass Email Attack
2. Select Adobe PDF Embedded EXE Social Engineering and opt for the built-in BLANK PDF, then select the Windows Reverse TCP Shell
3. Enter your IP address for the payload listener and the listening port (443)
4. Use the following FROM address: fraud@[bankdomain.com]
5. Use the email subject: Suspicious Account Activity
6. Use the email content:
Dear Customer
You are receiving this message because you are a current [bank name] customer.
Our Fraud & Prevention department has noted several suspicious transactions on your account originating from multiple overseas merchants. Our policy states that we require your assistance in determining the legitimacy of any suspicious charges totaling over $10,000. Please see the instructions below.